Merge branch 'feature/PI-165-environments' into release/2024-01-02

NHSDigital · Jan 2, 2024 · e5d07ea · e5d07ea
2 parents fd4e54f + 0cbbcb2
commit e5d07ea
Show file tree

Hide file tree

Showing 70 changed files with 1,075 additions and 233 deletions.
diff --git a/.github/actions/terraform/action.yml b/.github/actions/terraform/action.yml
@@ -4,13 +4,16 @@ inputs:
   command:
     description: "Terraform command to run"
     required: true
+  account:
+    description: "AWS account name"
+    required: true
   workspace:
     description: "Terraform workspace name"
     required: true
-  account-wide:
-    description: "If account-wide then specify 'account_wide'"
-    required: false
-    default: "non_account_wide"
+  scope:
+    description: "Terraform scope"
+    required: true
+    default: "per_workspace"
   cache-suffix:
     description: "[Optional] Cache suffix (e.g. 'base')"
     required: false
@@ -32,7 +35,7 @@ runs:
   steps:
     - uses: ./.github/actions/make/
       with:
-        command: terraform--${{ inputs.command }} TERRAFORM_WORKSPACE="${{ inputs.workspace }}" ACCOUNT_WIDE="${{ inputs.account-wide }}" PARAMETER_DEPLOY="${{ inputs.parameter-deploy }}"
+        command: terraform--${{ inputs.command }} AWS_ACCOUNT="${{ inputs.account }}" TERRAFORM_WORKSPACE="${{ inputs.workspace }}" TERRAFORM_SCOPE="${{ inputs.scope }}"
         requires-aws: true
         restore-from-cache: ${{ inputs.restore-from-cache }}
         save-to-cache: ${{ inputs.save-to-cache }}

diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml
@@ -1,30 +1,29 @@
 on:
   workflow_call:
     inputs:
-      workspace:
-        required: true
-        default: dev
+      account:
+        description: The AWS account being deployed
         type: string
-      parameter-deploy:
-        required: false
+        required: true
+      workspace:
+        description: The Terraform workspace being deployed
         type: string
-        default: ""
-      account-wide:
-        required: false
+        required: true
+      scope:
+        description: The Terraform scope being deployed
         type: string
-        default: "non_account_wide"
+        required: true
 
 permissions:
   id-token: write
   contents: read
   actions: write
 
 env:
-  RUNNING_IN_CI: 1
+  ACCOUNT: ${{ inputs.account }}
   WORKSPACE: ${{ inputs.workspace }}
-  CACHE_NAME: ${{ inputs.workspace }}-cache
-  PARAMETER_DEPLOY: ${{ inputs.parameter-deploy }}
-  ACCOUNT_WIDE: ${{ inputs.account-wide }}
+  CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
+  SCOPE: ${{ inputs.scope }}
   # SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
 
@@ -61,6 +60,7 @@ jobs:
           command: build
           save-to-cache: "true"
           restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   helpers--truststore-pull:
     needs: [get-branch-from-workflow-file, build]
@@ -83,11 +83,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: init
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   terraform--plan:
     needs: [get-branch-from-workflow-file, terraform--init]
@@ -99,11 +100,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: plan
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   terraform--apply:
     needs: [get-branch-from-workflow-file, terraform--plan]
@@ -115,11 +117,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: apply
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   test--smoke:
     needs: [get-branch-from-workflow-file, terraform--apply]
@@ -146,7 +149,7 @@ jobs:
   message-slack:
     name: Notify slack of deployment
     needs: [get-branch-from-workflow-file, set-success]
-    if: ${{ always() }}
+    if: always()
     runs-on: [self-hosted, ci]
 
     steps:
@@ -156,7 +159,10 @@ jobs:
         with:
           payload: |
             {
+              "account": "${{ env.ACCOUNT }}",
               "environment": "${{ env.WORKSPACE }}",
               "result": "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
               "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}"
             }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}
diff --git a/.github/workflows/deploy-account-wide-resources-prod.yml b/.github/workflows/deploy-account-wide-resources-prod.yml
@@ -1,4 +1,4 @@
-name: "Deploy: Account Wide Resources - Production"
+name: "Deploy: Account Wide - Production"
 
 on:
   workflow_dispatch:
@@ -7,6 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      account-wide: account_wide
+      scope: per_account/prod
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-account-wide-resources.yml b/.github/workflows/deploy-account-wide-resources.yml
@@ -1,21 +1,23 @@
-name: "Deploy: Account Wide Resources - Nonprod"
+name: "Deploy: Account Wide - Nonprod"
 
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Account to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - ref
+          - qa
           - int
+          - ref
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      account-wide: account_wide
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-nonprod-workspace.yml b/.github/workflows/deploy-nonprod-workspace.yml
@@ -3,23 +3,26 @@ name: "Deploy: Workspace - Nonprod"
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Workspace to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - dev-sandbox
-          - ref
-          - ref-sandbox
+          - qa
           - int
-          - int-sandbox
+          - ref
+      sandbox:
+        description: Do you want to deploy the sandbox version?
+        type: boolean
+        default: false
 
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      account-wide: non_account_wide
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}${{ inputs.sandbox == 'true' && '-sandbox' || '' }}
+      scope: "per_workspace"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-parameters-nonprod.yml b/.github/workflows/deploy-parameters-nonprod.yml
@@ -3,21 +3,22 @@ name: "Deploy: Parameters - Nonprod"
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Workspace to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - ref
+          - qa
           - int
+          - ref
 
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      parameter-deploy: "parameter_deploy"
-      account-wide: "account_wide"
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}/parameters"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-parameters-prod.yml b/.github/workflows/deploy-parameters-prod.yml
@@ -7,7 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      parameter-deploy: "parameter_deploy"
-      account-wide: "account_wide"
+      scope: per_account/prod/parameters
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-prod-workspace.yml b/.github/workflows/deploy-prod-workspace.yml
@@ -7,6 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      account-wide: non_account_wide
+      scope: per_workspace
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/destroy-expired-workspaces.yml b/.github/workflows/destroy-expired-workspaces.yml
@@ -14,7 +14,6 @@ env:
   AWS_DEFAULT_REGION: eu-west-2
   TF_CLI_ARGS: -no-color
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
-  RUNNING_IN_CI: 1
   BRANCH_NAME: ${{ github.ref_name }}
 
 jobs:

diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
@@ -12,7 +12,6 @@ env:
   BASE_BRANCH_NAME: ${{ github.event.pull_request.base.ref }}
   BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
-  RUNNING_IN_CI: 1
   BRANCH_GITHUB_SHA_SHORT: $(echo ${{ github.event.pull_request.head.sha }} | cut -c 1-7)
   TF_CLI_ARGS: -no-color
 
@@ -136,7 +135,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ env.BASE_BRANCH_NAME }}
+          ref: ${{ env.BRANCH_NAME }} # ${{ env.BASE_BRANCH_NAME }}
       - uses: ./.github/actions/terraform/
         with:
           command: plan

diff --git a/infrastructure/terraform/etc/int.tfvars b/infrastructure/terraform/etc/int.tfvars
@@ -0,0 +1,2 @@
+account_name = "int"
+environment  = "int"
diff --git a/infrastructure/terraform/etc/mgmt.tfvars b/infrastructure/terraform/etc/mgmt.tfvars
@@ -0,0 +1,2 @@
+account_name = "mgmt"
+environment  = "mgmt"
diff --git a/infrastructure/terraform/etc/prod.tfvars b/infrastructure/terraform/etc/prod.tfvars
@@ -0,0 +1,2 @@
+account_name = "prod"
+environment  = "prod"
diff --git a/infrastructure/terraform/etc/qa.tfvars b/infrastructure/terraform/etc/qa.tfvars
@@ -0,0 +1,2 @@
+account_name = "qa"
+environment  = "qa"
diff --git a/infrastructure/terraform/etc/ref.tfvars b/infrastructure/terraform/etc/ref.tfvars
@@ -0,0 +1,2 @@
+account_name = "ref"
+environment  = "ref"
diff --git a/infrastructure/terraform/per_account/dev/parameters/main.tf b/infrastructure/terraform/per_account/dev/parameters/main.tf
@@ -27,6 +27,6 @@ JSON
   }
 }
 
-resource "aws_secretsmanager_secret" "dev-apigee-credentials" {
+resource "aws_secretsmanager_secret" "apigee-credentials" {
   name = "${terraform.workspace}-apigee-credentials"
 }
diff --git a/infrastructure/terraform/per_account/dev/vars.tf b/infrastructure/terraform/per_account/dev/vars.tf
@@ -17,3 +17,7 @@ variable "expiration_date" {
 variable "updated_date" {
   default = "NEVER"
 }
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/int/locals.tf b/infrastructure/terraform/per_account/int/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/int/main.tf b/infrastructure/terraform/per_account/int/main.tf
@@ -0,0 +1,33 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+  description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-account-wide"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+module "iam__api-gateway-to-cloudwatch" {
+  source  = "../modules/iam__api-gateway-to-cloudwatch"
+  project = local.project
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/locals.tf b/infrastructure/terraform/per_account/int/parameters/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}